Re: Breach Impact Calculator

[Gary Flynn <flynngn () JMU EDU>]

Graham Toal wrote:

> > SearchSecurity.com has an interesting privacy impact
> > calculator they posted online.  You can punch some numbers in
> > and get an estimate for how much it will cost your
> > organization to recover from a breach:
> >
> > http://tinyurl.com/z67vc
>
>
> I don't even have to run it to know that it will give a
> huge number for even the smallest breach.  All of these
> cost calculators (cost of spam, cost of virtualization, etc)
> err on the high side by a couple of orders of magnitude
> to make some expensive thing seem worthwhile (anti-spam
> appliance, vmware server, hiring a security consultant...)
>
> Everyone has an interest it making security breaches seem
> expensive.  It brings more money to your department if you
> do it.  The classic case was the AT&T E911 document which
> they sold for $13 that was reported as being worth $80K.
>
> (Which is about the right rate of markup for any of these
> calculators - take the answer and divide by 6000 :-)   )


I think the problem is a line of reasoning such as:

1. SPAM email can contain malicious content or links.
2. Malicious content or links can compromise a desktop
   computer.
3. The desktop computer may be operated by someone with
   access to sensitive customer data.
4. Exposure of sensitive customer data can cost $$$$.
5. Therefore, SPAM may result in loss of $$$$.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature